DNS timestamp, scavenging, and permissions

Zachary Hamilton 201 Reputation points
2021-07-02T16:37:38.927+00:00

Hello,

I would like to enable DNS scavenging on the network at my new job. We have two domain controllers running Windows Server 2019. It looks like DNS scavenging was partially turned on before I got here. It is turned on in several of the zones, but not at the DNS server level. As such, the two domain controllers appear to be synchronizing DNS timestamps, but aren't actually scavenging anything.

My concern at this time is that the DNS Timestamps are not being updated for all servers and clients. As an example, I have two servers, DFS-FILE1 and DFS-FILE2, as follows:

Name Type Data Timestamp
DFS-FILE1 Host (A) 172.30.25.32 5/25/2020 11:00:00 PM
DFS-FILE2 Host (A) 172.30.25.33 6/27/2021 1:00:00 AM

I have found a difference between the two in the Properties -> Security tab. DFS-FILE2 has an entry for "DFS-FILE2$". DFS-FILE1 has an SID listed (S-1-5-21-2379.... etc.). All other permissions are the same.

I checked Active Directory, and both machine names are there. So a few questions/concerns:

  1. What would happen if I delete DFS-FILE1 (or it was scavenged) from DNS? Would it break that server? Would it repopulate in DNS?
  2. Do I need to add back the "DFS-FILE1$" permission? If so, how? If I try to do it, I only see "DFS-FILE1" as a computer account, not the user account with "$" at the end. Would this matter?
  3. I think there is some confusion with the definition of "static" that I want to clear up. Most of our servers have a static IP address assigned locally on the machine, so the IP address is static from the server's perspective. However, when that server updates DNS, that is a dynamic entry from DNS's perspective, correct? It would only be static from the DNS perspective if an entry were manually made in the DNS Manager console. Is that right?
  4. I have a decently sized environment, so I'm concerned about being able to fix this on a large scale as opposed to having to go machine to machine.

Thanks,

Zachary Hamilton


3 answers

  1. Candy Luo 12,671 Reputation points Microsoft Vendor
    2021-07-05T09:01:46.947+00:00

    Hi ,

    1. If you want to enable DNS Aging and Scavenging, you must enable scavenging on both the DNS zone and the DNS server; otherwise, stale resource records cannot be removed from the DNS server.

    [screenshot: 111790-1.png]

    [screenshot: 111778-2.png]

    2. By default, scavenging only works on timestamps, so any DNS record with a timestamp will get processed and possibly deleted.

    A machine with a statically assigned IP address doesn't mean its record is a static record. If you don't want those statically addressed servers to be scavenged, just uncheck the "Delete this record when it becomes stale" box.

    [screenshot: 111759-3.png]

    For your reference:

    How to Configure DNS Aging and Scavenging (Cleanup Stale DNS Records)

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    3. > What would happen if I delete DFS-FILE1 (or it was scavenged) from DNS? Would it break that server? Would it repopulate in DNS?

    Computers with statically assigned IP addresses will update their DNS records periodically. By default, computers that have statically assigned addresses register their records every 24 hours. So, if you delete the record, they will register it again periodically.

    Best Regards, Candy



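The two-level switch described in this answer (aging per zone, scavenging per server) and the static-versus-dynamic distinction can be checked and applied from PowerShell instead of clicking through DNS Manager. The following is an added example, not code from the thread or from Microsoft; the server name `DC01`, the 7-day No-refresh/Refresh intervals and the zone filter are assumptions, and `$WhatIf` keeps it in dry-run mode until you flip it.

```powershell
# Added example, not code from the thread: check and enable aging/scavenging at
# both levels, then classify every A record. Server name and 7-day intervals are
# assumptions; run from a DC or a host with the DnsServer RSAT module.
Import-Module DnsServer

$Server    = 'DC01'                       # assumption: one of the two DCs
$NoRefresh = [TimeSpan]::FromDays(7)      # assumption: default 7-day intervals
$Refresh   = [TimeSpan]::FromDays(7)
$WhatIf    = $true                        # dry run; set to $false to apply changes

# 1. Server level: the switch the question says was never turned on.
#    Only a server with ScavengingState = $true ever deletes anything.
$srv = Get-DnsServerScavenging -ComputerName $Server
"Server scavenging: {0}, interval {1}" -f $srv.ScavengingState, $srv.ScavengingInterval
if (-not $srv.ScavengingState) {
    Set-DnsServerScavenging -ComputerName $Server -ScavengingState $true `
        -ScavengingInterval ([TimeSpan]::FromDays(7)) -WhatIf:$WhatIf
}

# 2. Zone level: aging must be on per zone or its records never get timestamps.
$zones = Get-DnsServerZone -ComputerName $Server | Where-Object {
    $_.ZoneType -eq 'Primary' -and $_.IsDsIntegrated -and
    -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated
}
foreach ($z in $zones) {
    $aging = Get-DnsServerZoneAging -ComputerName $Server -Name $z.ZoneName
    "{0}: aging={1} noRefresh={2} refresh={3}" -f $z.ZoneName,
        $aging.AgingEnabled, $aging.NoRefreshInterval, $aging.RefreshInterval
    if (-not $aging.AgingEnabled) {
        Set-DnsServerZoneAging -ComputerName $Server -Name $z.ZoneName -Aging $true `
            -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh -WhatIf:$WhatIf
    }
}

# 3. Classify every A record. Timestamp is empty for a record typed into DNS
#    Manager by hand (static from DNS's point of view); a dynamically registered
#    record, even from a host with a fixed IP, carries one and becomes eligible
#    for deletion once Timestamp + NoRefresh + Refresh is in the past.
$threshold = $NoRefresh + $Refresh
$now = Get-Date
$zones | ForEach-Object {
    $zoneName = $_.ZoneName
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $zoneName -RRType A |
        ForEach-Object {
            $state = if (-not $_.Timestamp)                        { 'static' }
                     elseif (($now - $_.Timestamp) -gt $threshold)  { 'stale (will be scavenged)' }
                     else                                           { 'dynamic' }
            [pscustomobject]@{
                Zone = $zoneName; Name = $_.HostName
                IP = $_.RecordData.IPv4Address; Timestamp = $_.Timestamp; State = $state
            }
        }
} | Sort-Object State, Zone, Name | Format-Table -AutoSize
```

Run it with `$WhatIf = $true` first and read the third table before touching the server-level setting: every row marked stale (a record such as DFS-FILE1 with a timestamp from 2020 would be one) is what the first scavenging pass will delete as soon as the server switch goes on, so those hosts need their registration fixed, or their records re-created, before scavenging is enabled for real.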

  2. Candy Luo 12,671 Reputation points Microsoft Vendor
    2021-07-07T09:39:34.117+00:00

    Hi Zachary Hamilton,

    Thanks for your clarification. I had some misunderstanding of your question. Now, based on my understanding, the record of DFS-FILE1 lacks a timestamp update, which means the record cannot be updated normally, and you found an orphaned SID listed in the Security tab. As in the picture below:

    [screenshot: 112308-image.png]

    Is that right? Please feel free to let me know if I have any misunderstanding.

    As far as I know, an orphaned SID always occurs when a machine is re-imaged or the OS is reinstalled without removing the DNS record or the AD computer account.

    Check if the following article can help you:

    How to Fix Dynamic DNS Record Permissions in Active Directory

    The following repository contains scripts and tools to fix orphaned DNS records:

    https://github.com/kingsleyck/DnsScavengingPrep

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Candy

    --------------------------------------------------------------


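The orphaned-SID situation in this answer can be found and repaired in bulk rather than host by host, which addresses the scale concern in the question. Each AD-integrated record is a `dnsNode` object under `CN=MicrosoftDNS`, and its ACL is what secure dynamic update checks; when the host that registered the record is re-imaged it gets a new machine SID, the old ACE can no longer be resolved to `DOMAIN\HOST$`, and the new machine is denied the update, so the timestamp never moves. The script below is an added example, not code from the thread or from the linked DnsScavengingPrep repository; the zone `corp.example.com`, the NetBIOS domain `CORP`, the DomainDnsZones partition and the choice of GenericAll for the re-granted ACE are assumptions. It only removes ACEs whose principal cannot be resolved and only grants the computer account that actually exists in AD.

```powershell
# Added example, not the thread's or the linked repository's code: audit dnsNode
# ACLs for unresolvable SIDs and re-grant the current computer account.
# Zone name, NetBIOS domain and partition are assumptions; run on a DC or a host
# with the ActiveDirectory RSAT module, as an account that may write DACLs.
Import-Module ActiveDirectory

$Zone   = 'corp.example.com'   # assumption
$Domain = 'CORP'               # assumption: NetBIOS domain name
$WhatIf = $true                # dry run; set to $false to rewrite ACLs
# Assumption: the zone replicates to the DomainDnsZones partition (the default).
$ZoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones," + (Get-ADDomain).DistinguishedName

$nodes = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
             -Filter 'objectClass -eq "dnsNode"'

$report = foreach ($n in $nodes) {
    if ($n.Name -eq '@') { continue }                       # zone root node
    $acl = Get-Acl -Path "AD:\$($n.DistinguishedName)"
    # A principal that no longer exists cannot be resolved, so the AD: provider
    # shows the bare SID instead of DOMAIN\HOST$. That is the orphan the
    # question saw on DFS-FILE1.
    $orphans = @($acl.Access | Where-Object { $_.IdentityReference.Value -match '^S-1-5-21-' })
    if ($orphans.Count -eq 0) { continue }

    $computer = Get-ADComputer -Filter "Name -eq '$($n.Name)'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Record   = $n.Name
        Orphans  = ($orphans.IdentityReference.Value -join ', ')
        Computer = $computer.SamAccountName                  # e.g. DFS-FILE1$
    }
    if (-not $computer) { continue }                        # nothing to re-grant

    # The object picker lists the account as DFS-FILE1, but the ACE is written
    # with its sAMAccountName DFS-FILE1$; NTAccount wants the latter.
    $id   = [System.Security.Principal.NTAccount]::new("$Domain\$($computer.SamAccountName)")
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
                $id,
                [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,   # assumption
                [System.Security.AccessControl.AccessControlType]::Allow)
    foreach ($o in $orphans) { $acl.RemoveAccessRuleSpecific($o) }
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$($n.DistinguishedName)" -AclObject $acl -WhatIf:$WhatIf
}
$report | Format-Table -AutoSize
```

Rewriting the ACL does not itself refresh the timestamp; it only lets the host's next registration succeed, so either wait for the periodic re-registration mentioned in the first answer or run `ipconfig /registerdns` on the affected host and confirm the timestamp moves. The simpler alternative for a handful of records, consistent with that answer, is to delete the record and let the host re-register it, which recreates the ACL with the current account.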
  3. Girdhar Sharma 1 Reputation point
    2022-12-20T09:02:49.173+00:00

    Hi, I need a simple answer to a question.

    We are planning to enable DNS scavenging today and duration will be one day.

    Will this delete or impact all the static and dynamic records?

    Some of the servers have dynamic records even though they had static IPs at the time of domain joining; how does that work?

    Regards
    Girdhar Sharma
